Kevin Mandia, CEO
Picture this. You are sitting at your desk at work when news arrives that there has been a cybersecurity attack and your company is a victim. Your first thought is about the lost data: what has been compromised? At this point nothing can be done; it is already too late. The attacker has bypassed the security barricades you put in place and has escaped with core data.
This situation is common today. In an attempt to curb such attacks, organizations are looking for solutions that detect network breaches and allow the incident to be investigated immediately after the attack, in order to determine its impact, work out how much data was lost, plan containment measures and secure the network against repeat attacks.
Once a breach is confirmed, the organization’s primary focus moves from detection to containment. Every minute after an attack is valuable, and failing to ask the relevant questions often leads to further loss of data. It is therefore paramount that the right questions are asked, so that the extent of the damage can be identified rapidly, for containment as well as for public relations, legal and privacy reasons.
Precautionary measures should be put in place as soon as possible, so that when an attack occurs you hear about it during its early stages, when it can still be stopped dead in its tracks, rather than after it has happened. At the most basic level, organizations must be able to identify how the attackers gained access to their systems and whether they are still lurking in the enterprise network accessing other files. Finally, it is paramount to find out what data has been stolen, in order to move into damage-control mode with contingencies already in place for such instances.
FireEye [NASDAQ: FEYE] is a leading digital forensics firm in this field. The company pairs the industry’s fastest lossless network data capture and retrieval solution with centralized analysis and visualization. Over the years its investigators have repeatedly run into the same obstacle: a lack of visibility into endpoints and networks, which leaves inadequate data on which to perform analysis and reach a conclusion. In many cases the information was simply missing, making a conclusion impossible. “You can’t just be good at network security or just good at endpoint or just good at asset discovery. You’ve got to be good at email security, endpoint security, and network security. You want to bring it all together. We are detecting millions of attacks a week, and when we detect them, that is a problem. We are the second goalie in the net. So attacks are still real,” says Kevin Mandia, CEO of FireEye.
According to FireEye, nearly all organizations (97 percent) had been breached, meaning at least one attacker had bypassed every layer of their defense-in-depth architecture.
In cybersecurity, the central task is mitigating and managing risk. Organizations need to know where they stand, and that requires planning from the ground up. This is FireEye’s strong suit: the company works with clients to identify the goals, risks and priorities that the security strategy must address. “While FireEye remains vigilant on the front lines combatting cyber attacks, we understand that reducing risk requires significant cooperation and contributions from outside the technology industry,” explains Mandia.
Headquartered in Milpitas, CA, FireEye offers Network Forensics, which enables users to identify and resolve security breaches and incidents much faster by capturing and indexing complete packets of data at high speed. With Network Forensics a broad array of security incidents can be detected, the quality of the response improves, and the impact of each episode can be quantified precisely. The company’s Investigation Analysis System is a forensic analytics platform that bolsters and expedites incident investigation. It is a standalone system that works in tandem with the Network Forensics platform, extending the whole system’s functionality through an easy-to-use analytical interface centralized across the client’s network metadata. Network Forensics forms an important part of a successful security program and plays a role in the day-to-day workflow of security operations. Yet even when its role is clear to the security professional, its underlying value is often difficult to explain to executives and decision-makers.
FireEye’s Endpoint Security platform builds on the strengths of legacy security products, enhanced with technology, intelligence and expertise to defend hosts against today’s generation of cyber attacks. To prevent common malware from infecting systems, Endpoint Security employs a signature-based endpoint protection platform (EPP) engine. When no signature matches, the platform falls back on MalwareGuard, FireEye’s machine learning engine, trained with knowledge of cyber attacks gathered on the front line.
FireEye’s Network Forensics can detect a broad spectrum of security incidents and has the capability to precisely quantify the magnitude of each one. The Investigation Analysis System is included as part of the Network Forensics solution; it identifies hidden threats and speeds up incident response by providing a centralized workbench with an easy-to-use analytical interface. The workbench accelerates the process by identifying which alerts require extensive investigation, allowing analysts to narrow their focus to what matters for the specific investigation. At the end of the day, the faster an answer arrives, the better protected the client is. Analysts can use the tools to review specific network packets and sessions from before, during and after an attack.
This gives them the ability to reconstruct the events surrounding the attack, such as what triggered the download of the malware or how it defeated the security precautions in place, and so to close the gap and prevent the attack from recurring.
Jumpstart deployment services for the two solutions come in two flavors: Basic and Advanced. Basic is for organizations that have only recently purchased the Network Forensics platform and need expertise when deploying it on their systems; this expertise also covers performance and integration, giving clients a better understanding of the platform’s API. The Advanced package is for organizations that purchase both the Network Forensics platform and the Investigation Analysis System. It includes everything in the Basic package plus intuitive custom dashboards for the Investigation Analysis System. FireEye’s Jumpstart services apply FireEye expertise and methodology to the client’s attached storage, deployment architecture, investigation workflow processes and packet capture (PCAP) analysis.
FireEye’s network capture appliances capture packets losslessly at rates up to 20 Gbps and expose the data through open standards for maximum flexibility: a RESTful API, PCAP, NetFlow v9 and IPFIX. The company’s experts assist clients with the architecture design, storage setup and configuration of the two platforms, Network Forensics and the custom dashboards of the Investigation Analysis System. They can expand visibility into the attacker’s activity by decoding the protocols typically used to spread an attack laterally across the network. The Investigation Analysis System supports multiple configurations, from a single node to a distributed architecture optimized for bandwidth and for metadata aggregation, analytics and query performance. Deployment is followed by a series of tests of both platforms to minimize risk and confirm that they are working and configured properly. FireEye also continually conducts in-depth reviews of the dashboards and processes in order to find suspicious items in the enterprise’s network.
The company also offers malware analysis, an essential part of preventing and detecting future cyber attacks. Using malware analysis tools, its experts analyze the lifecycle of an attack and extract forensic details that further enrich the threat intelligence platform. FireEye’s Malware Analysis (AX series) products provide secure environments in which malicious software can be executed, documented and characterized. The analysis maps the entire lifecycle, from initial exploit to execution path to callback destination.
In a world where data is becoming the new currency of enterprises and cyber attacks are constantly evolving, it is of utmost importance that organizations have solutions in place to combat these threats. FireEye is well placed in this regard, and its forensic solutions will help organizations better protect themselves against impending cyber attacks. “We continue to drive innovation across our product portfolio, add new features and functionality, and update our pricing and packaging. Our frontline knowledge of the threat landscape and how organizations are combating cyber attacks is at the heart of our unique innovation cycle. FireEye network, email and endpoint security products continue to detect attacks that evade other security solutions,” concludes Mandia.
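To make concrete what capturing, indexing and reviewing "complete packets" and sessions involves, here is an added Python example. It is not FireEye code and does not come from the page or its products; the function names, the direction-agnostic flow key and the sample traffic are all this example's own choices. It writes a constructed classic-libpcap capture (one HTTP fetch plus an unrelated ARP frame; every address, port and timestamp is invented), parses it back while checking byte order and detecting snapped records (a lossy capture), builds a per-session index with timing and byte counts, and reassembles each session's payload in time order, which is what an investigator relies on to answer what was downloaded and from where.

```python
import socket
import struct
from collections import defaultdict

# Classic libpcap magic as written by a little-endian host; the byte-swapped
# value identifies a big-endian writer.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def build_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) tuples into a classic pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums are zeroed (constructed data)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_pcap(data):
    """Yield (timestamp, frame, truncated) per record, detecting the writer's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("capture file ends mid-record")
        off += incl_len
        # incl_len < orig_len means the sensor snapped the packet: a lossy capture.
        yield ts_sec + ts_usec / 1e6, frame, incl_len < orig_len


def decode_tcp(frame):
    """Return the 5-tuple, flags and payload of an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
        "sport": sport, "dport": dport, "flags": frame[t + 13],
        "payload": frame[t + data_off:14 + total_len],  # drops Ethernet padding
    }


def index_flows(pcap_bytes):
    """Group TCP packets into direction-agnostic sessions with metadata and payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None,
                                 "last": None, "truncated": False, "segments": []})
    for ts, frame, truncated in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue  # ARP, IPv6, UDP and so on would need their own decoders
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        key = (a, b) if a <= b else (b, a)  # both directions share one session key
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += len(frame)
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
        f["truncated"] |= truncated
        if pkt["payload"]:
            f["segments"].append((ts, a, pkt["payload"]))
    return dict(flows)


def reassemble(flow):
    """Return the session payload in time order, tagged by the sending endpoint."""
    return [(src, data) for _, src, data in sorted(flow["segments"], key=lambda s: s[0])]


# Constructed sample capture: one HTTP fetch plus an unrelated ARP frame.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
ARP_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28
SAMPLE_PCAP = build_pcap([
    (1700000000, 100, tcp_frame(CLIENT, SERVER, 40001, 80, 0x02)),  # SYN
    (1700000000, 300, tcp_frame(SERVER, CLIENT, 80, 40001, 0x12)),  # SYN/ACK
    (1700000000, 500, ARP_FRAME),
    (1700000000, 700, tcp_frame(CLIENT, SERVER, 40001, 80, 0x18,
                                b"GET /update.bin HTTP/1.1\r\nHost: example\r\n\r\n")),
    (1700000001, 200, tcp_frame(SERVER, CLIENT, 80, 40001, 0x18,
                                b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00")),
])

if __name__ == "__main__":
    for key, flow in index_flows(SAMPLE_PCAP).items():
        print(key, flow["packets"], "pkts", flow["bytes"], "bytes",
              "snapped" if flow["truncated"] else "lossless")
        for src, data in reassemble(flow):
            print("  ", src, data[:24])
```

The lossless check matters: a record whose captured length is smaller than its original length means the sensor dropped bytes, and any session reassembled from it cannot be trusted to show the full download. Real captures also contain fragmentation, retransmissions and out-of-order segments, which this toy index orders by timestamp only; a production workbench reorders by TCP sequence number.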